[Dshield] WLAN integration into corporate Networks.

Johannes Ullrich jullrich at euclidian.com
Wed Oct 8 17:40:22 GMT 2003


> I am looking for tips, experience or practical guide on how to
> implement/integrate Wireless networks to an existing corporate Wired LAN.

Difficult topic. Some basic ideas:

The wireless access point (WAP) should live on its own, firewalled,
network segment. Treat it like a modem or external Internet connection.
All connections from the WAP to any kind of protected system should
happen via an encrypted VPN.

Now if you have to provide 'public' access to the Internet, make sure it
is monitored and maybe use something simple like 'nocat' (nocat.net) to
authenticate users (or at least ask them to click a disclaimer).

There is a section in the SANS reading room covering various aspects of
wireless networking: http://www.sans.org/rr/catindex.php?cat_id=68

If you are looking for an off-the-shelf solution, check with SonicWall.
They have some firewalls with integrated WAP and VPN concentrator. If I
remember right, they also have a 'guest' feature which will allow guests
to access the Internet from your WAP but nothing else.

Personally, I added another network card to my iptables based firewall.
The WAP is connected to the card. Only ssh is allowed to my DMZ server
(I use PPP over ssh as a simple VPN). Web traffic (port 80 only) is
allowed but transparently proxied over squid so I can keep an eye on it.


-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
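As an added example (not from the original post and not Johannes' own rule set), here is the firewall layout described in the last paragraph expressed as iptables rules: the WAP on a dedicated NIC, only ssh forwarded to one DMZ host, port 80 from the WLAN transparently redirected to a local squid, and everything else from that segment logged and dropped. The interface name, WLAN subnet, DMZ address and squid port are assumptions; run the script with no arguments to print the rules, or with `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the original post. Firewall rules for a WAP on
# its own NIC: forward only ssh to one DMZ host, redirect port 80 to a
# local squid, and log/drop everything else coming from the WLAN.
# All names and addresses below are assumptions; adjust to your layout.
WLAN_IF="${WLAN_IF:-eth2}"                # NIC the access point is cabled to
WLAN_NET="${WLAN_NET:-192.168.50.0/24}"   # subnet handed out on the WLAN
DMZ_SSH="${DMZ_SSH:-10.0.1.10}"           # the one DMZ host reachable via ssh
SQUID_PORT="${SQUID_PORT:-3128}"          # squid listens here in transparent mode
APPLY=0                                   # 0 = print the rules, 1 = run them

# rule: print or execute one iptables command, depending on APPLY.
rule() {
  if [ "$APPLY" = 1 ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# wlan_rules: the complete rule set for the WLAN segment.
wlan_rules() {
  # Everything arriving on the WLAN NIC with a WLAN source goes through
  # its own chain; anything else on that NIC is a spoofed source and dropped.
  rule -N WLAN_FWD
  rule -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j WLAN_FWD
  rule -A FORWARD -i "$WLAN_IF" -j DROP

  # Replies to connections that were allowed.
  rule -A WLAN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The only forwarded service: ssh to one DMZ host (PPP over ssh rides on it).
  rule -A WLAN_FWD -p tcp -d "$DMZ_SSH" --dport 22 -m state --state NEW -j ACCEPT
  # Default deny for the segment, rate-limited log line so it can be watched.
  rule -A WLAN_FWD -m limit --limit 10/min -j LOG --log-prefix "WLAN-DROP: "
  rule -A WLAN_FWD -j DROP

  # Transparent proxy: rewrite port 80 from the WLAN to the local squid.
  # squid.conf needs a matching "http_port 3128 transparent" (or "intercept").
  rule -t nat -A PREROUTING -i "$WLAN_IF" -s "$WLAN_NET" -p tcp --dport 80 \
       -j REDIRECT --to-ports "$SQUID_PORT"

  # The firewall itself takes the redirected web traffic and nothing else
  # from the WLAN side.
  rule -A INPUT -i "$WLAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -p tcp --dport "$SQUID_PORT" \
       -m state --state NEW -j ACCEPT
  rule -A INPUT -i "$WLAN_IF" -j DROP
}

# Usage:  sh wlan-fw.sh            -> print the rules
#         sudo sh wlan-fw.sh apply -> load them (needs net.ipv4.ip_forward=1)
if [ "${1:-}" = "apply" ]; then
  APPLY=1
fi
wlan_rules
```

Two practical caveats the post does not spell out: transparent proxying only rewrites the TCP connection, so the wireless clients still need a DNS resolver they are allowed to reach before they can connect to port 80 at all, and HTTPS (port 443) is not covered by the port 80 redirect and stays blocked under these rules, which matches the "port 80 only" policy in the post.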